By Jason Symons, Partner
The spirit of the 2023-2030 Australian Cyber Security Strategy and supplementary Action Plan is very positive and in the right direction. The 6 ‘cyber shields’ of the Strategy (see here) comprise aspirational goals that we must strive towards. However, they give rise to a number of important legal questions that need to be addressed, and that will not be easy.
Whether the lawyer is invited into the (incident/war) room or not, the following legal issues in the incident response context arise from the Strategy:
“Cyber Security Act” – The Strategy’s prior Discussion Paper released in February 2023 (see here) said that a ‘core policy area’ was “enhancing and harmonising regulatory frameworks” under a potential new “Cyber Security Act”. The Government recognised a desire to “simplify and streamline reporting frameworks” including “response requirements following a major cyber incident”. The new Act would draw together all “cyber-specific legislative obligations and standards across industry and government”. However, the Strategy does not (yet?) address that significant task. Harmonising the legal requirements associated with responding to an incident across multiple pieces of legislation, with distinct purposes, will require a co-ordinated, industry-inclusive, clear plan, and time. Like any significant legislative change, political factors will also play a role in terms of any change in Government or the make-up of the voting houses. Whether we will see a new Cyber Security Act in the future is difficult to judge, but it is a long way off now.
Single reporting portal – The Strategy plans to develop a single regulatory reporting portal for cyber incidents to make things ‘easier’ for entities and ‘simplify’ incident reporting. This makes sense, because we now clearly have the technology tools to do it, and the community is getting used to using such tools. However, the single portal will need to traverse the different legislative tests that apply to when reporting is required for a cyber incident under the different laws and regulations, and what information is required, in an ‘easy-to-use’ functional way. The portal may be a landing page at cyber.gov.au that branches off to different reporting sites for many of the 14-plus agencies listed next to Shield 1.6.1 in the Action Plan. Making that ‘easier’ for the user is the challenge.
No-fault, no-liability, ransomware reporting – The Strategy plans to “co-design with industry options to legislate a no-fault, no-liability ransomware reporting obligation”. The Strategy addresses under-reporting and the Government’s desire to be informed of all ransomware attacks (when many attacks do not trigger any of the legislative reporting frameworks) by proposing mandatory ransomware reporting (presumably via the portal). However, what threshold ‘test’ will apply is not yet stated (e.g. the SOCI Act test requires critical infrastructure to be involved, which narrows it significantly). The obligation will be on a ‘no-fault, no-liability’ basis. However, Shield 1.4.1 does not specify what ‘fault’ or ‘liability’ it is referring to. Whether it refers to the underlying conduct, the reporting itself, future government action, and/or third-party liability (unlikely) will need to be worked through.
Limited use of information shared – The Strategy indicates the Government will encourage ‘open engagement’ during an incident by legislating a “limited use obligation for ASD and the Cyber Coordinator” in relation to information provided during the response to an incident. This legislation will limit in some way what information the ASD and Cyber Coordinator shares with other Government entities and regulators. However, significantly, the ‘limit’ will not go as far as preventing the information being used for regulatory or law enforcement actions, or provide immunity from legal liability. This issue is clearly an urgent one as an interim approach is currently being developed with the ASD.
No-fault post-incident reviews – The Strategy also includes establishing a Cyber Incident Review Board, like the US Cyber Safety Review Board, to conduct “lessons-learned reviews of significant cyber incidents”. The reviews will not interfere with the incident response itself, but would take place at some point in time later. However, how significant is “significant” is not stated, nor whether the Board would have the power to compel businesses to participate. Importantly, the Board will not make “findings of fault”, but would share the “lessons-learned” with the business community and wider public. Presumably they would be shared anonymously (like what the OAIC does in its 6-monthly data breach reports), but Shield 1.5.2 does not say.
Legal professional privilege – Information reported or shared during the incident response or during an incident review process is open to potential future discovery in a class action or other litigation. Communications regarding the incident investigation may also not be protected by legal professional privilege unless the engagement of the forensic experts is undertaken in accordance with the established legal principles. It is understandable these concerns are not the priority in the immediate response. However, cyber incidents have a potential (very) long tail, with organisations being exposed to liability risk for a long time. Whether the Strategy is the right forum to address these competing priorities will (hopefully) be discussed as industry is engaged regarding the previous 3 issues above.
Ransomware playbook – The Strategy plans to build a ransomware playbook to provide “clear guidance to businesses and citizens on how to prepare for, deal with, and bounce back from ransom demands”. The Government’s clear position on ransom demands is to never pay as paying fuels the ransomware business model and does not guarantee data will be recovered. However, the Strategy provides no plan by the Government to ban ransom payments in the near future. Given this position, the playbook will not provide guidance on how to pay a ransom if the business chooses to pay in the circumstances of their attack. This means that businesses will still need guidance from cyber lawyers experienced in advising on ransom payments, when planning for a ransomware attack or responding to one. If anti-money laundering and counter-terrorism financing laws, and digital currencies regulation, are reformed as flagged in the Strategy, this becomes even more important.
Industry code for incident responders – The Strategy plans to co-design an industry code of practice for cyber security firms engaged as incident response providers. I have the pleasure of working with many of the ‘best-in-the-business’ cyber security firms that we engage on behalf of clients in response to cyber-attacks. A code that brings the industry standard for all incident response providers up to the standard we see on a daily basis can only be a good thing.
Third-party supply chain attacks – The Strategy recognises the risk posed to large organisations by incidents affecting smaller third-party organisations in their supply chain. The Strategy plans to uplift the cyber security of small and medium business through further free support and advice. The Strategy also makes specific reference to clarifying the obligations for managed service providers given the prevalence of recent significant incidents involving MSPs. Given that incidents can involve multiple affected entities, how one entity reports or shares information about an incident can impact other entities. How the proposed no-fault, no-liability and limited use frameworks of the Strategy relate to third-party supply chain attacks will be important to consider.
The 2023-2030 Australian Cyber Security Strategy is the most significant effort by Government to address the cyber security threat to Australians and Australian businesses. Addressing these legal issues over the development of the Strategy has the potential to make it a robust plan that is both aspirational and pragmatic.